ParticleOS, from Fedora to Feast: Stirring Traditional Distros into Immutable Delights
- Track: Distributions
- Room: UB2.147
- Day: Sunday
- Start: 15:30
- End: 15:55
- Video only: ub2147
How to successfully brew a Linux immutable image, with bells and whistles
- take a ParticleOS recipe 📜
- generously pour in packages from a traditional distribution like Fedora 🫗
- add a pinch of security policies for code integrity, build time and boot time customizations to taste 🧂
- amalgamate them together with systemd 👩🏻‍🍳
- stir vigorously with mkosi 🥣
- bake until crispy in the Open Build Service ♨️
- allow time to cool in your CDN 🥧
Creating a (truly!) immutable distribution with a strong security posture and a chain of trust that starts in the hardware and ends in userspace is no longer a job that requires an entire team and starting from first principles. With the power of tooling and infrastructure provided by the systemd project, anyone can customize, build and deploy securely and at scale, starting from their preferred traditional package-based distribution.
This talk will go over all the tooling and infrastructure available to achieve this, from systemd to mkosi, from UEFI Secure Boot and dm-verity to the Integrity Policy Enforcement LSM, from OBS to systemd-sysupdate, from systemd-repart to systemd-firstboot, and show a working example and how to reproduce and customize it.
Speakers
- Luca Boccassi